SENSITIVE BUT UNCLASSIFIED

Audit Report

OIG-10-045

FOREIGN ASSETS CONTROL: OFAC Should Have Better and More Timely Documented its Review of Potential Sanctions Violations

September 1, 2010

This report was originally designated as sensitive but unclassified. Subsequently, it was determined that this designation is unnecessary, and it has been removed.

Office of Inspector General
Department of the Treasury

Contents

Audit Report
    Results in Brief
    Background
    Findings and Recommendations
        OFAC Did Not Appropriately Document Its Participation in FRB-NY’s Fedwire Integrity Pilot Program
        OFAC Needs to Determine, in Consultation with Treasury’s Office of Intelligence and Analysis, the Appropriate Sensitivity Level of the Program
    Recommendations

Appendices
    Appendix 1: Objectives, Scope, and Methodology
    Appendix 2: Management Response
    Appendix 3: Major Contributors to This Report
    Appendix 4: Report Distribution

Abbreviations
    FRB-NY    Federal Reserve Bank of New York
    OFAC      Office of Foreign Assets Control
    OIG       Office of Inspector General
    SBU       Sensitive But Unclassified
    SDN       Specially Designated Nationals and Blocked Persons

OFAC Should Have Better and More Timely Documented its Review of Potential Sanctions Violations (OIG-10-045)

OIG Audit Report
The Department of the Treasury
Office of Inspector General

September 1, 2010

Adam J. Szubin, Director
Office of Foreign Assets Control

This report presents the results of our audit of the Office of Foreign Assets Control (OFAC) participation in the Federal Reserve Bank of New York’s (FRB-NY) Fedwire Integrity Pilot Program.

From 2004 through early 2006, FRB-NY periodically compared a sample of names from OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list against a moving history of Fedwire transactions to determine whether depository institutions appropriately blocked transactions involving selected SDNs.[1] FRB-NY conducted searches for 8 samples of 10 SDNs each, selected from a subset of 198 SDNs provided by OFAC. OFAC selected this subset from the thousands of names on the SDN list.[2] FRB-NY’s searches yielded 305 transactions containing a potential match with an entry on the SDN list, with a total value of more than $11 million.[3] Although FRB-NY believed its search results confirmed that the overwhelming majority of financial institutions were properly screening for names on the SDN list, it lacked the customer data to make a final determination. Accordingly, FRB-NY provided these results to OFAC through the first quarter of 2006, after which FRB-NY terminated the program.
We were first informed by OFAC of this program in November 2005 during another audit, when OFAC stated that the program provided evidence of a high degree of compliance by financial institutions with OFAC sanctions.

[1] Specially designated nationals are organizations and individuals, including terrorist organizations, individual terrorists, and state sponsors of terrorism, that are restricted from doing business with U.S. companies and individuals. The list is categorized by sanction programs for specific countries, such as Cuba, Burma, and the Balkans, or by sanction programs for specific activities, such as Global Terrorism Designation, Specially Designated Narcotics Traffickers, and Nonproliferation of Weapons of Mass Destruction.
[2] As of January 2008, the SDN list totaled 7,363 names—3,731 primary names and 3,632 secondary, or “also known as,” names.
[3] FRB-NY referred to these potential matches as potential “suspicious activities.” The transactions were sent to OFAC to determine whether they were positive matches.

Our objectives were to determine (1) how OFAC used the Fedwire Integrity Pilot Program results to broadly assess financial institutions’ compliance with its sanction programs and (2) whether OFAC took enforcement action when a violation was identified from the FRB-NY referrals. To accomplish our objectives, we interviewed OFAC and FRB-NY officials and reviewed related documentation.
During our audit, we also noted inconsistent markings of documents OFAC considered to be sensitive so we address that matter in this report as well. Appendix 1 contains a more detailed description of the audit objectives, scope, and methodology.

Issuance of this final report was delayed due to other priority work by our office. The other priority work principally relates to an unprecedented number of reviews of failed financial institutions that we are required to perform under the Federal Deposit Insurance Act.

Results in Brief

Limited OFAC Documentation

OFAC officials said its analysis of FRB-NY’s potential matches confirmed the FRB-NY’s initial conclusions, that the overwhelming majority of financial institutions using Fedwire properly screened their transactions for compliance with OFAC sanctions. OFAC did not, however, provide us with adequate documentation to support the activities or analysis it used to reach this conclusion.

Despite our repeated requests between November 2007 and March 2008, when we conducted our audit fieldwork, OFAC officials could not present to us the criteria used to select the subset of SDN names provided to FRB-NY, the analysis applied to the 305 potential suspicious transactions identified by FRB-NY, or the results of what was done with the potential suspicious transactions that were identified by the FRB-NY.
Furthermore, we also requested but did not receive OFAC’s written policies and procedures for reviewing the potential suspicious transactions, for documenting its analyses and conclusions, or for taking follow-up action when necessary. Given its limited scope, we believe that any broad conclusion about screening by financial institutions for OFAC compliance from just the results of this program is not prudent.

During our audit fieldwork, OFAC did not provide sufficient, appropriate evidence of its review of the FRB-NY referrals. At the exit conference in June 2009, OFAC presented two sets of documentation regarding its actions on the referrals that we had not previously been given. The difficulty we encountered in obtaining the evidence of OFAC’s review earlier in the audit points to, among other things, a need for OFAC to do a better job of maintaining proper records of its programs and operations.

•   The first set of documentation was to support an OFAC review of the FRB-NY referrals that OFAC officials said was conducted in November and December 2007. The evidence presented consisted of notes (i.e., sticky notes) dated November 29, November 30, and December 12, 2007, that OFAC staff attached to copies of the eight e-mail referrals from the FRB-NY. The notes indicated OFAC’s determination that the hits did not match entities and addresses on the SDN, and thus were false hits. OFAC officials said we should have had the original notes at the time and could not explain why we did not have them.

    The documentation contained handwritten notations that were not on the copies of these documents we were provided on November 28 and 29, 2007. We were unable to confirm the determinations with the author of the notes, who is no longer a federal employee, and thus we are unable to reach a conclusion about the nature of the review conducted. The former OFAC staff member who made the determinations was unresponsive to our request for an interview.

•   The second set of documentation consisted of an OFAC review of the FRB-NY referrals that was performed between May and June 2009 after we provided OFAC with a discussion draft of this report. In this regard, OFAC performed the analysis in response to our discussion draft report recommendation to investigate the potential suspicious transactions FRB-NY provided to OFAC in the years 2004, 2005, and 2006, and document the results. While this analysis provides a determination about the potential hits, it does not provide adequate documentation of OFAC’s review. The author and date of the review are not identified. Also, the methodology used to perform the review is not described. In short, this documentation does not provide an audit trail to adequately support the review of the FRB-NY referrals. That said, based on the assertions by OFAC senior management and considering the documentation provided, although inadequate, we accept that a review of the potential hits was performed.

OFAC officials also provided at the exit conference a 2005 internal e-mail that referenced one of the potential hits. OFAC took enforcement action in November 2008 for this 2005 violation, about 3 years after the potential hit had been referred from FRB-NY and after our fieldwork was completed.
The enforcement action taken was a cautionary letter to the financial institution warning that another violation would be dealt with more strongly.

Unclear Basis for Marking Documents Sensitive

OFAC officials told us that the Fedwire Integrity Pilot Program should be treated as sensitive and that public disclosure of the program would cause harm to the government. However, they were unable to explain or otherwise provide a defendable basis as to why they held this belief. FRB-NY considered the program to be sensitive, but from a business propriety standpoint. Additionally, we noted that OFAC marked certain related documents as Sensitive But Unclassified (SBU) but did not mark other documents containing the very same information.

Recommendations

We are recommending that OFAC (1) establish policies and procedures for reviewing referrals of potential violations of OFAC sanctions, to include documenting the research and conclusions derived from its analyses, and actions to be taken based on the identification of potential matches to the SDN list; (2) inform our office of the report’s sensitivity level and specific information that cannot be disclosed; (3) periodically re-assess with FRB-NY whether the Fedwire Integrity Pilot Program should be re-established; (4) determine, in consultation with Treasury’s Office of Intelligence and Analysis, the appropriate sensitivity level of the program based on Treasury Security Manual criteria; and (5) based on that determination, appropriately mark and secure program documentation in accordance with the Treasury Security Manual.

Management Response

In its response, OFAC referenced, for the purpose of context, an April 2002 audit report issued by our office that emphasized the importance we attributed to the federal banking regulators' examination process in monitoring compliance with OFAC sanctions by financial institutions. In that report, we concluded that transaction testing was a critical component of the examination process.[4] Following the publication of the 2002 audit report, FRB-NY decided to test the integrity of its Fedwire system, as well as compliance by its participants, by screening the details of billions of discrete transactions sent through the Fedwire system by U.S. banks against a sample of names from OFAC's SDN list.

[4] Office of Inspector General, FOREIGN ASSETS CONTROL: OFAC's Ability To Monitor Financial Institution Compliance Is Limited Due To Legislative Impairments (Report OIG-02-082; issued April 26, 2002).

OFAC noted that in August 2004, FRB-NY tested four and a half years' worth of archived transaction history, covering some 450,000 wire transfers each day totaling almost six billion discrete transactions, against a sampling of OFAC targets.
In transmitting the results, FRB-NY told OFAC that it believed that its search results confirmed that the majority of financial institutions that use the Fedwire system were properly screening for names on the SDN list. In October 2004, FRB-NY conducted the same test using different SDN names. It reached exactly the same conclusion—that the majority of financial institutions that use Fedwire were properly screening for names on OFAC's SDN list. The exercise was repeated 8 times with substantially similar findings resulting in the same FRB-NY conclusion.

In 7 of the 8 tests that FRB-NY conducted, it identified a handful of potential hits which it referred to OFAC. OFAC was able to determine that all but one of those potential matches were either false hits or authorized by a general or specific license issued by OFAC. There was only one item that required an enforcement action against a bank in the form of a cautionary letter. While documentation of its actions could have been better, OFAC believes that its policies and procedures worked and all action that needed to be taken was taken. OFAC believes that the program was an effective tool in measuring compliance with U.S. sanctions regulations by the U.S. financial community and will assess with FRB-NY whether to re-establish Fedwire Integrity.

With respect to our first recommendation above, OFAC stated that assessing potential matches to the SDN list is a vital function for OFAC, both internally and in its outreach and compliance functions. OFAC has detailed procedures for reviewing inquiries about potential SDN matches which are on its Web site. Using these criteria, OFAC said it determined very quickly that the great majority of transactions transmitted by FRB-NY were either false positives or were authorized by OFAC.
OFAC believes that it is of no value to log referred questions that are quickly resolved as false hits, but instead it carefully documents authenticated hits that are blocked or rejected. These are entered into OFAC’s database of blocked and rejected transactions and reviewed for involvement of any U.S. persons. Individual case files are created for potential violations of U.S. sanctions law and referred for enforcement action as appropriate.

The underlying program has been properly determined to be SBU pursuant to the Treasury Security Manual and staff involved in this project have been notified about the proper marking and handling of documents related to the program. Furthermore, OFAC stated that it will reassess with FRB-NY whether the Fedwire Integrity Program should be re-established.

OIG Comment

With respect to its response to our first recommendation, the process described by OFAC for reviewing inquiries and documenting its review is a reasonable approach, and meets the intent of our recommendation. That said, however, its response was less than complete as to what actions will be specifically taken to address the documentation weaknesses we found during our audit. This is an area that requires continued management attention in our opinion. In recognition of the fact that OFAC is the responsible office for program information, we accept OFAC’s final determination that this report should be designated SBU.
With respect to its response that it will reassess with FRB-NY whether the Fedwire Integrity Program should be re-established, OFAC will need to establish and record a planned date for the assessment in the Department’s Joint Audit Management Enterprise System (JAMES).

OFAC’s response is provided in appendix 2.

Background

OFAC Sanction Programs and the SDN List

OFAC administers laws that impose economic sanctions against hostile targets to further U.S. foreign policy and national security objectives. In carrying out its functions, OFAC maintains a list of SDNs containing the names of individuals and entities owned or controlled by, or acting for or on behalf of, the governments of target countries or that are associated with international narcotics trafficking or terrorism or engaged in activities related to the proliferation of weapons of mass destruction. Unless authorized by OFAC, all U.S. persons, including U.S. banks, bank holding companies, and nonbank subsidiaries are prohibited from dealing with individuals and entities on the SDN list.
Unless authorized by OFAC, banks must block all property and interest in property within their possession or control in which these individuals and entities have an interest.

The federal banking agencies examine financial institutions under their supervision to determine the adequacy of the financial institutions’ OFAC compliance programs.[5] It is a violation of law if the institution does business with a targeted entity or fails to block an unauthorized transaction involving an SDN.

When it comes to OFAC’s attention that an illicit transaction has been processed through a U.S. bank without being appropriately blocked or rejected, OFAC normally sends an administrative demand for information to the bank requesting an explanation of how the transaction was processed. OFAC has also imposed millions of dollars in civil penalties on U.S. banks and companies for failing to appropriately block or reject illicit transfers involving a targeted country or SDN. OFAC completed 99 penalties or settlements totaling a little over $3.5 million in 2008 while completing 27 penalties or settlements totaling a little over $772 million in 2009.
The large dollar increase in 2009 was the result of substantial settlements with two institutions.

[5] The federal banking agencies are the Office of the Comptroller of the Currency, Office of Thrift Supervision, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the National Credit Union Administration.

FRB-NY Fedwire System

The Federal Reserve System, among other things, serves as the banker for the U.S. government and operates the Fedwire system. Fedwire is an electronic funds transfer network operated by the FRB-NY. It is usually used to transfer large amounts of funds and U.S. government securities from one institution's account at a Federal Reserve Bank to another institution's account. It is also used by Treasury and other federal agencies to collect and disburse funds. FRB-NY’s Fedwire system consists of a set of computer applications that route and settle payment orders and is supported by a national communications network.
The following diagram depicts the process:

Figure 1: The Fedwire Process
[Diagram labels: Originator (Bank A’s customer); Bank A (Fedwire Bank); Transaction Data; Acknowledgement; Fedwire Funds Service; Federal Reserve Account (Bank A -$$, Bank B +$$); Advice of Credit; Bank B (Fedwire Bank); Beneficiary (Bank B’s customer).]
Source: OIG adaptation of a chart provided by FRB-NY.
Note: Transaction data includes, among other things, information about the sender, dollar amount of the transaction, receiving bank, and recipient’s account number and address.

Any institution that maintains an account with a Federal Reserve Bank generally can become a Fedwire participant. Participants use Fedwire to instruct a Federal Reserve Bank to debit funds from the participant's own Federal Reserve Bank account and credit the Federal Reserve Bank account of another participant. Fedwire processes and settles payment orders individually throughout the operating day. Payment to the receiving participant over Fedwire is final and irrevocable when the amount of the payment order is credited to the receiving participant's account or when the payment order is sent to the receiving participant, whichever is earlier.
Fedwire participants send payment orders to a Federal Reserve Bank online, by initiating an electronic message, or offline, via telephone.

Screening of Fedwire Transactions for OFAC Compliance

FRB-NY does not screen electronic Fedwire transactions for OFAC compliance as the transactions are processed. In a September 1995 letter, OFAC advised FRB-NY that FRB-NY did not need to institute a review of Fedwire electronic transactions between domestic banks. According to OFAC such a review was redundant because U.S. depository institutions that clear electronic domestic transactions through Fedwire were presumably already scanning transactions, both domestic and international, for interests of entities and individuals subject to the blocking provision of OFAC programs.

Fedwire Integrity Pilot Program

Beginning in June 2004 and continuing through March 2006, FRB-NY periodically compared a sample of 10 names from a subset of the SDN list provided by OFAC against a historical database of transactions that had been processed through Fedwire. The OFAC-provided subset consisted of 198 SDNs. In total 80 names were sampled. FRB-NY compared the sample of SDNs against a 4-year moving history of transactions in the Fedwire database.
The comparison included checks of all aliases, related names, addresses, and all variations associated with the sampled SDNs. According to FRB-NY officials, after each search, the sampled SDNs were excluded from future searches.

For any matches that were identified, FRB-NY eliminated all apparent false positives[6] and matches for transactions that occurred before the individual or entity was designated an SDN. FRB-NY then sent all remaining potential matches by e-mail to OFAC. OFAC was to determine whether any of the names appeared to be actual SDN matches. OFAC officials said that then they decide whether to perform additional testing on transactions that appear to be matches or to issue an administrative subpoena to the banks involved asking for additional information about the transaction and the parties involved.

FRB-NY provided OFAC with information about the transactions containing the potential matches to verify that parties involved were true matches and to determine if the transactions were in fact violations of OFAC regulations. FRB-NY officials explained that FRB-NY sent the list of potential matches to OFAC because, unlike OFAC, it did not have the authority to request the bank customer information that may have been necessary to verify whether it was a true match.
In addition, according to OFAC officials FRB-NY did not have the expertise in OFAC regulations to determine, even if it was a true match, if the transaction was authorized under OFAC regulations.

[6] A false positive is a case in which the name in question is the same or similar to an SDN but other information on the person, such as geographical information, does not match the information on OFAC’s SDN list.

Findings and Recommendations

Finding 1    OFAC Did Not Appropriately Document Its Participation in FRB-NY’s Fedwire Integrity Pilot Program

OFAC was unable to provide certain key documentation or explain its actions in connection with the Fedwire Integrity Pilot Program. OFAC officials could not provide us with documentation as to the genesis of OFAC’s participation in the program except for a draft program proposal that FRB-NY prepared to explain the program. That draft proposal bore little resemblance to what was actually done. OFAC also did not document nor could OFAC officials explain how OFAC developed the list of SDNs provided to FRB-NY for use in the pilot program.
Throughout our field work and despite our periodic requests, OFAC could not provide documentation as to what it did to resolve the 305 potential “hits” referred to it by FRB-NY. When we asked OFAC officials what was done, they said that there had been high turnover of staff who may have worked on the potential hits. When we asked who the staff were, OFAC officials said they could not recall.

At the exit conference on June 5, 2009, OFAC provided (1) copies of documents to support its review and analysis of FRB-NY referrals, in the form of sticky notes written in 2007 on the search results provided by FRB-NY and (2) a 2005 e-mail between OFAC officials that described a transaction that resulted in an enforcement action issued almost 3 years later. These were documents that we had not previously been provided when we were given the documents with sticky notes in November 2007. The additional notations were dated November 29, November 30, and December 12, 2007, and were also not included on the original notes we were given on November 28 and November 29. While it is not clear why these documents with additional notations were given to us so late in the audit, we accept that the notes support that analysis was ultimately performed.
[7] Nonetheless, OFAC received the FRB-NY results nearly 3 years earlier beginning in 2004 and OFAC officials, who said review and analysis was done when the documents were first received, should have documented the review and analysis performed at that time.

[7] The notes OFAC officials provided were initialed by a former employee, who is no longer a federal employee. We attempted to interview the individual and exchanged correspondence with the individual regarding our interview request. Ultimately, however, the individual was unresponsive to our request. It should be noted that when we asked OFAC officials during our audit fieldwork for the names of staff involved with activities, they could not recall their names. The first time we learned of the individual’s name was from the notes provided at the exit conference in June 2009. The individual was still employed at OFAC at the time of our audit fieldwork.

OFAC Did Not Document Its Criteria for Selecting Names Provided to FRB-NY

In May 2004, OFAC provided FRB-NY with a list of 198 SDNs to search under the Fedwire Integrity Pilot Program. FRB-NY officials told us that they selected 10 names at random from OFAC’s list for the 8 searches conducted under the program for a total of 80 names sampled.
[8] As noted earlier, the list provided by OFAC was a subset of names selected from the thousands of names on the SDN list.

We asked OFAC officials for documentation showing how the subset of names provided to FRB-NY was selected, but they provided no such documentation. An OFAC investigator involved in contributing to the list said that he recalled choosing 41 names that were put on the list. He said that these 41 names were chosen from over 1,500 names that were categorized as narcotics traffickers on the SDN list. None of the OFAC officials we interviewed could explain how the other 157 names were chosen. Two OFAC officials stated that OFAC wanted to make sure that the SDN names provided to FRB-NY officials were relevant and useful for enforcement purposes.

In 2006, OFAC provided FRB-NY with another list, this time of 12 names from the SDN list. According to an OFAC official, OFAC formulated the 12-name list by choosing names of interest and high-profile individuals from both the Specially Designated Narcotics Traffickers and the nonproliferation of weapons of mass destruction categories. OFAC wanted leads to parties that were dealing with persons or entities on the SDN list in order to identify additional names to add to the list. OFAC officials did not provide any further details about the origin of the 12-name list. According to FRB-NY, this second list was not used to test transactions.

[8] FRB-NY conducted 8 searches.
They were conducted in June, August, and October 2004; January 2005; the first, third, and fourth quarters of 2005; and the first quarter of 2006.

OFAC Did Not Document Its Activities Related to the Fedwire Integrity Pilot Program

We asked OFAC officials for documentation to describe the purpose, legal authority, and resolution of OFAC activities related to FRB-NY’s Fedwire Integrity Pilot Program. The officials provided a document marked “draft-confidential” that was prepared by FRB-NY to describe the program. That document identified two goals for the program. One was to provide OFAC with historical information from transactions for SDNs prior to their designation dates and the second was to provide OFAC with possible violations by depository institutions that failed to properly filter and block their transactions.

For the first goal—providing OFAC with historical information from transactions involving SDNs prior to their designation dates—OFAC was to review these transactions and provide documentary evidence of how this was to be done or whether it was done. Though we were not provided with documentary evidence of OFAC’s review, OFAC agreed with FRB-NY’s initial conclusion that financial institutions were compliant with OFAC sanction programs and that there was a large drop in the number of transactions involving SDNs once their names were placed on the SDN list.

Regarding the second goal—identifying possible violators of OFAC sanctions—FRB-NY officials said that they filtered out transactions conducted prior to an SDN’s designation date, identified
the remaining transactions as potential matches, and provided OFAC with these potential matches to review. FRB-NY provided OFAC with these potential matches because FRB-NY officials did not maintain customer identification files to verify the names and related locations generated from their searches. OFAC had the authority to access depository institution information to verify whether the transactions did indeed involve sanctioned parties, and if so, whether or not the transactions were processed in violation of OFAC regulations. FRB-NY provided the results in eight separate e-mails addressed to an OFAC official, including copies of the system-generated matches. In all but one instance, OFAC officials did not believe that these were bona fide violations, but had no evidence to show what review was conducted to reach their conclusions. When we asked for documentary support and the names of OFAC personnel who analyzed these data so we could ask the analysts what they did to scrutinize the data, OFAC officials stated that they had no related documentation and could not identify any other OFAC personnel who may have received and reviewed these transactions.

Overall, FRB-NY conducted searches for 8 samples, each consisting of 10 SDNs for a total of 80 SDNs, and provided OFAC with 305 transactions which contained potential matches to the SDN list. The value of all transaction records referred to OFAC totaled more than $11 million. FRB-NY documentation showed that the transactions averaged approximately $37,000, ranging from a low of about $87 to a high of approximately $459,000.

As shown in table 1, in total, FRB-NY’s searches generated 305 transactions containing potential matches to the SDN list.
These transactions involved potential matches to 16 SDN entities out of the total of 80 tested.

Table 1: Transactions Referred by FRB-NY to OFAC Containing Potential Matches to an SDN

Timing of FRB-NY      Number of       Exact    Partial
searches              transactions    name     name      Different   Unknown    Location
                      identified      match    match     location    location   match
June 2004                      11        -        11           -         11          -
August 2004                    68        -        68           -         68          -
October 2004                   46        4        42          44          2          -
First quarter 2005             55        -        55          49          -          6
Third quarter 2005             12        1        11          10          -          2
Fourth quarter 2005            21        -        21           9          -         12
First quarter 2006             92        -        92          92          -          -
Total                         305        5       300         204         81         20

Source: FRB-NY e-mails submitted to OFAC.

Notes:
1. According to an FRB-NY official, a second-quarter 2005 search was not conducted.
2. FRB-NY officials stated that 14 of the fourth-quarter 2005 matches were positive SDN hits and that 12 of these entities had exact location matches. In addition, for the entire period reviewed, 5 of the transactions had exact name matches, 1 of which also had an exact location match.

After a repeat request for additional information from OFAC as to its disposition of these potential hits, we were provided limited documentation. OFAC provided copies of the FRB-NY e-mails with the search results and copies of the system-generated matches FRB-NY provided to OFAC with the e-mails. Throughout our fieldwork, however, OFAC did not give us documentation to support its review and analysis of these results. At the June 5, 2009, exit conference, during which OFAC officials provided comments to the discussion draft report, OFAC officials provided limited documentation that showed OFAC had reviewed the potential hits and concluded that most of the hits were false.
[9] Only one transaction appeared to constitute a violation of OFAC regulations. The documentation was in the form of sticky notes attached to the FRB-NY documentation identifying the potential hits. The determinations of matches to the SDN were handwritten on the sticky notes and were dated November 29, November 30, and December 12, 2007. These comments, which concluded that the hits did not match the SDN, were not present on the sticky notes at the time of our field visit to OFAC headquarters on November 28, 2007, and were not provided when we again requested all program data near the conclusion of our field work in March 2008. It should also be noted that these notes do not support timely review of the potential hits, as they were dated almost 3 years after OFAC received its results from the FRB-NY’s search of Fedwire transactions.

[9] In the fourth quarter 2005 FRB-NY search results, 12 matches for one entity were positive hits but were legal payments licensed by OFAC.

In addition, OFAC officials stated that as a direct result of our discussion draft, they had further prepared in June 2009 a detailed summary of their analysis of FRB-NY search results. This was also provided to us at the exit conference. Similar to the first set of documents provided to us, this was not adequate. We could not determine, from this documentation, the official who performed the review, the date the review was performed, or the methodology used to determine if the potential hits were positive.
OFAC did not provide an audit trail for future reference to this program.

When questioned about the timeliness of their review, OFAC officials said they acted timely, but did not document their review and analysis in 2005. They cited as evidence of their review an enforcement action taken in 2008 for a transaction reviewed in 2005. OFAC officials presented a 2005 e-mail from an OFAC compliance officer that discussed a review of a transaction generated from the program. (This was also a document that we were not provided during our fieldwork.) OFAC officials emphasized that this was evidence that they reviewed the transactions when they were received. According to one OFAC official, in March 2006, OFAC received responses from the financial institutions based on information OFAC requested in February 2006, and in November 2008, issued cautionary letters to the institutions. [10]

During our fieldwork, OFAC compliance officials stated that OFAC did not have an audit trail to show what was done with the results of the program. They said that OFAC had been experiencing heavy employee turnover and that certain officials who may have been able to discuss what was done with the results were no longer with OFAC. We asked for the names of these individuals so that we could follow up with them directly, but the OFAC officials could not recall specific names or the units in which they worked.
This remained the case at our June 2009 exit conference.

When we asked OFAC officials what policies and procedures they would have followed when FRB-NY reported the potential matches to OFAC, they stated that OFAC did not have any written policies and procedures for performing and documenting its review of potential matches and taking appropriate action based on the results. At the exit conference in June 2009, OFAC provided us with a copy of an excerpt from “Frequently Asked Questions” that is available on the OFAC website. These procedures, however, are for financial institutions to determine the quality of the transactions with matches to OFAC’s SDN list. These procedures do not represent procedures for OFAC officials to use to document the research and conclusions derived from its analyses, or the actions to be taken should actual matches be identified.

[10] Cautionary letters are issued when OFAC determines that neither a formal finding of violation nor a civil penalty is warranted. These letters serve to place the institutions on notice that OFAC is concerned about the conduct and that any such similar conduct in the future may result in a finding of violation or imposition of a penalty. In this case, OFAC made its decision based on the institutions’ OFAC violation history, the volume of transactions processed by the institutions, and other factors as defined in Economic Sanctions Enforcement Guidelines published in an interim final rule in Federal Register, Volume 73, Number 174, Monday, September 8, 2008.

Additional Concern Regarding OFAC Documentation

At the audit exit conference, OFAC officials stated that they continuously and on a daily basis provide guidance to the public on potential matches to the SDN list. According to the officials, the information provided is assessed and a determination is made whether to pursue further inquiry. The officials also stated that they do not keep a log of the contacts indicating the disposition of each inquiry and cited resources as the reason for not maintaining such a log. We believe that OFAC should reconsider this practice and establish a log of all inquiries. Among other things, such a log provides for a historical record should OFAC later be challenged about actions taken on a particular matter referred to its office.
It also provides an important source of information that might be useful to develop cases in the future.

Finding 2   OFAC Needs to Determine, in Consultation with Treasury’s Office of Intelligence and Analysis, the Appropriate Sensitivity Level of the Program

From the outset of our audit, OFAC officials told us that the Fedwire Integrity Pilot Program was sensitive and that public disclosure of it would cause harm to the government because the program would be terminated and OFAC’s relationship with the Federal Reserve damaged. FRB-NY officials also told us the program was sensitive from their perspective. When OFAC first informed our office about the program in a November 2005 memorandum, the memorandum and its attachments were marked “Treasury Sensitive But Unclassified.” However, other related documentation provided by OFAC lacked any such markings.

We believe that the reasons cited by OFAC for treating the program as sensitive are not compelling.
We therefore believe that OFAC needs to articulate and document why the SBU designation is appropriate.

When Information Is to Be Marked as SBU

At Treasury, the SBU designation is used to identify information whose release could adversely affect economic, industrial, or international financial institutions or compromise unclassified programs, Treasury essential operations, or critical infrastructures. Information marked SBU is not meant for public release but is controlled or restricted in conducting official Treasury business. Access to SBU information is based on a determination that an employee or contractor requires access to perform or assist in lawful, authorized, Treasury governmental functions. Other aspects of SBU information include (1) individuals do not need a security clearance to access SBU information and (2) SBU information is not automatically exempt from the provisions of the Freedom of Information Act or the Privacy Act. Responsibilities and requirements related to the proper marking and handling of SBU information are prescribed in the Treasury Security Manual.
[11]

OFAC Marked Certain Fedwire Integrity Pilot Program-Related Records as SBU

The first time OFAC informed us about the Fedwire Integrity Pilot Program was in a November 30, 2005, memorandum from a former OFAC director to one of our auditors entitled “Fedwire Integrity Pilot Program.” The memorandum included as attachments a series of e-mails from an FRB-NY official to OFAC summarizing the results of searches under the program. The earliest attached e-mail was dated August 10, 2004, and the latest attached e-mail was dated November 10, 2005. In that memorandum, which was marked along with the attachments as SBU, the former OFAC director stated the following:

    “I would like to emphasize the exceptional sensitivity of this program, which is being conducted on a voluntary basis.
    If the existence of the program were to be disclosed, we are confident that the program will be terminated and we will receive no further information.”

    “In addition, disclosure of the program would likely cause irreparable damage to our productive relationship with the federal financial regulator at issue.”

[11] TD P 15-71, Chapter III, “Information Security,” sections 23 and 24, “Sensitive But Unclassified (SBU) Information.”

The memorandum did not state why OFAC was providing the OIG auditor with the information. However, the reason given our auditor by OFAC staff was that the results of the searches performed by the FRB-NY evidenced a high degree of financial institution compliance with OFAC requirements.

Reasons Cited for Program’s Sensitivity

We sought to determine the reasons why OFAC considered the Fedwire Integrity Pilot Program to be sensitive, and the basis for marking the November 2005 memorandum SBU. We asked several current and former OFAC officials about the need for secrecy about the program.

One OFAC official stated that FRB-NY officials requested that the program be treated as sensitive.
Similarly, another OFAC official stated the FRB-NY officials were very concerned about any requirement that would weaken their primary mission of timely and accurate Fedwire data transfer.

The former OFAC Director, who signed the memorandum, said that a sensitive designation was needed to maintain the integrity of the financial sector. He also said that FRB-NY officials believed that the information was sensitive because depository institutions would question why FRB-NY officials were conducting searches.

We also inquired of FRB-NY officials about their perspective on the sensitivity of the Fedwire Integrity Pilot Program. The officials confirmed that they asked OFAC to treat this program as sensitive. They cited business and proprietary reasons as the basis of their concern.

Most Program Documents Not Marked SBU

Despite the sensitivity attributed to this program by OFAC, with the one exception of the November 2005 memorandum to our auditor, no other documents provided by OFAC during our audit were marked SBU or otherwise marked as sensitive in accordance with Treasury policy. These included (1) the eight e-mails that were sent from the FRB-NY officials to OFAC officials with the potential suspicious transactions resulting from the program, (2) the computer-generated documents attached to these e-mails that listed the transactions resulting from the search of Fedwire transactions with the SDN listing, and (3) a draft document of the pilot program.
[12]

Conclusion

After considering the comments of current and former OFAC officials, we do not see the adverse impact that could result from public disclosure of this program. That FRB-NY voluntarily selected a limited number of names from the SDN list provided by OFAC to identify transactions containing potential matches to the SDN list which were processed through Fedwire for review by OFAC would appear to be nothing more than one more layer of compliance testing of the financial system. In concept, we believe this to be a good idea. What OFAC did with the information provided by FRB-NY is a matter that should be part of the public record, barring any legal restrictions, and we are aware of none. We also do not see the concerns raised in the former Director’s November 2005 memorandum and expressed to us during our audit as compelling reasons for OFAC’s position that the program was very sensitive.

However, we do believe it prudent for OFAC to consult with the Office of Intelligence and Analysis to determine whether the characteristics of the program meet the Treasury criteria for designating the program as SBU.
[13] In the interest of government accountability and transparency, we also believe it is essential that OFAC maintain a complete record of the basis and parties responsible for making a decision to treat the program as sensitive or otherwise shielded from the public. We also feel that programs of this nature need to have strong controls in place that carefully document all activities and ensure that no abuses take place.

[12] As stated earlier, this document was marked “draft-confidential,” which is not a marking that accords with Treasury policy.

[13] In accordance with Treasury Directive 105-19, the Assistant Secretary for Intelligence and Analysis is the senior agency official for the Department of the Treasury authorized to delegate original Secret or Confidential classification authority in conformance with the requirements of Executive Order 12958, as amended. This order prescribes a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to defense against transnational terrorism.

Recommendations

We recommend the OFAC Director do the following:

1. Establish policies, procedures, and controls for reviewing inquiries about potential matches to the SDN list, to include documenting the research and conclusions derived from its analyses and actions to be taken based on the identification of transactions with actual matches.
   The policies, procedures, and controls should provide for appropriate safeguards to ensure compliance with applicable U.S. laws.

   Management Response

   OFAC agreed that assessing potential matches to the SDN list is a vital function for OFAC, both internally and in its outreach and compliance functions. To that end, OFAC has detailed procedures for reviewing inquiries about potential SDN matches. These procedures, which are posted on its Website, set out two methods to be used in assessing potential matches, one for wire transfers and the other for customer accounts. These are the same procedures that OFAC uses for purposes of internal analysis and for responding to inquiries received each year from the private sector about potential matches to the SDN list. OFAC’s employees are responsible for determining if potential matches are likely to be true hits and, in most cases, are able to make such determinations with very little time or effort.

   Based on the criteria described above, according to OFAC, it was determined very quickly that the great majority of the transactions transmitted by FRB-NY were either false positives or were authorized by OFAC. The SDN match and OFAC’s follow-on actions for the one “true hit” were well documented and resulted in a Cautionary Letter to the financial institution that handled the payment.
   With respect to OFAC
   documentation procedures more generally, OFAC does not log
   referred questions that are quickly resolved as false hits, as
   such, because they generally do not provide value to the office.
   On the other hand, OFAC carefully documents authenticated
   hits that are blocked or rejected. These hits are entered into
   OFAC’s database of blocked and rejected transactions and
   reviewed for the involvement of any U.S. persons. Individual
   case files are created for potential violations of U.S. sanctions
   law and are referred for enforcement action as appropriate.

   OIG Comment

   OFAC’s description of its process for reviewing inquiries and
   documenting its review of those inquiries is a reasonable
   approach. Although published for use by the public, we agree
   that the procedures that OFAC has posted on its Website for its
   internal review of potential SDN matches provide sufficient
   guidance for OFAC employees to review these transactions. We
   also understand that documenting every single false hit may not
   be of value to OFAC if the transactions have been reviewed in
   accordance with these procedures and found not to be a
   violation of law. As OFAC officials described during our review,
   OFAC receives a number of inquiries from car dealers and the
   like concerning individuals who may have the same name as a
   person on the SDN list, but based on other information such as
   date of birth or address, it is clear to OFAC that the individual is
   not the same person on the SDN list. It is these types of
   inquiries that are not documented according to OFAC officials.

   Although we consider OFAC’s described approach as
   reasonable, OFAC’s response is less than complete in that it
   does not specifically address the documentation weaknesses
   we found during our audit.
   In that regard, we want to
   emphasize the importance for OFAC to institutionalize in writing
   its internal policies, procedures, and controls to ensure the
   actions described in its response are in fact done, and
   appropriate documentation is maintained. Such documentation,
   both of the procedures applied and the results, was sorely
   lacking with respect to its activities with the Fedwire Integrity
   Pilot Program at the time of our review. OFAC’s operating
   practices in this regard therefore remain an area of concern
   and are the subject of planned future audit work by our office.

2. Inform our office of this report’s sensitivity level and specific
   information that cannot be disclosed and why. This
   recommendation should be given immediate attention.

   Management Response

   The underlying program has been properly determined to be
   SBU pursuant to the Treasury Security Manual. OFAC does not
   believe that the report, given its singular focus on a sensitive
   program at a unique institution, could be properly redacted to
   prevent the public disclosure of the identity of FRB-NY and the
   actions it took as part of the program.

   OIG Comment

   During our audit, we held extensive discussions with OFAC on
   the sensitivity level of the Fedwire Integrity Program and this
   report. In recognition of the fact that OFAC is the responsible
   office for program information, we accept OFAC’s
   determination that this report should be designated SBU and
   have marked it accordingly.

3. Periodically reassess in conjunction with FRB-NY whether the
   Fedwire Integrity Pilot Program should be re-established.

   Management Response

   OFAC stated that it will reassess with FRB-NY whether the
   program should be re-established.

   OIG Comment

   We consider OFAC’s planned action responsive to our
   recommendation. OFAC will need to establish a timeframe for
   the planned reassessment, and record the date for completing
   action on this recommendation in JAMES.

4. In consultation with the Office of Intelligence and Analysis,
   determine the proper sensitivity level of the Fedwire Integrity
   Pilot Program and maintain written documentation of that
   determination and the basis for it.

   Management Response

   OFAC met with Treasury’s Office of Security Programs to
   determine the sensitivity level of the Fedwire Integrity Pilot
   Program. OFAC was advised that the Program is and had been
   properly deemed SBU pursuant to the Treasury Security Manual
   because the details of the program, if publicly disclosed, could
   have an adverse impact on the operations of FRB-NY and could
   compromise an unclassified program to monitor financial
   institution compliance with national security sanctions programs
   administered by OFAC.

   OIG Comment

   In recognition of the fact that OFAC is the responsible office for
   program information, we accept OFAC’s determination that the
   sensitivity level of the Fedwire Integrity Pilot Program is SBU.

5. As appropriate to the sensitivity level determined in accordance
   with recommendation 4, ensure that all related program records
   at OFAC are marked and secured in accordance with the
   Treasury Security Manual. This applies not only to current
   records but also to records that may be created if the Fedwire
   Integrity Pilot Program is re-established at a future date.

   Management Response

   OFAC notified its staff involved in this project about the proper
   marking and handling of documents related to the program. SBU
   program documentation is and has been secured in accordance
   with the Treasury Security Manual and a September 2008
   memorandum from Treasury’s Office of Security Programs
   Director. This documentation is stored in areas that have
   physical access controls to afford adequate protection to
   prevent unauthorized access by visitors and others without a
   need for such access. Treasury and bureau e-mail systems also
   have sufficient safeguards to transmit SBU information.

   OIG Comment

   OFAC’s notification to its staff is responsive to our
   recommendation. We recognize that OFAC offices are in
   secured facilities. That said, proper markings are essential as
   well to prevent unauthorized or inadvertent disclosure.

                                 * * * * *

We would like to extend our appreciation to OFAC for the
cooperation and courtesies extended to our staff during the audit.
If you have any questions, please contact me at (617) 223-8640 or
Sharon Torosian, Audit Manager, at (617) 223-8642. Major
contributors to this report are listed in appendix 3.

/s/
Donald P. Benson
Audit Director

Appendix 1
Objectives, Scope, and Methodology

The objectives of our audit were to determine (1) how the Office of
Foreign Assets Control (OFAC) used the results of the Fedwire
Integrity Pilot Program to broadly assess financial institutions’
compliance with its sanction programs and (2) whether OFAC took
enforcement action when a violation was identified from the
FRB-NY referrals. Our audit was initiated after we received information
during a prior audit about information on transactions containing
potential matches to Specially Designated Nationals and Blocked
Persons (SDN) which were identified by the Fedwire Integrity Pilot
Program. 14 We wanted to determine why the Federal Reserve Bank
of New York (FRB-NY) initiated the Fedwire Integrity Pilot Program,
what the program’s results showed, and what OFAC did with the
results.

We reviewed laws, regulations, and guidance associated with
OFAC’s sanction programs, consumer privacy, and suspicious
activity reporting. We asked OFAC for its policies and procedures
related to the Fedwire Integrity Pilot Program and were told there
were none.
OFAC did provide a draft proposal for the program
prepared by the FRB-NY, which we reviewed.

We requested documentation from both OFAC and FRB-NY relating
to the program, which was conducted from June 2004 through
January 2006. We reviewed FRB-NY documentation provided to
OFAC for potential matches to the SDN list identified in the eight
sets of results for searches that FRB-NY conducted during 2004,
2005, and 2006. We asked OFAC for any documentation of
follow-up by OFAC; OFAC officials told us that such
documentation did not exist.

During our fieldwork from November 2007 to March 2008, we
did not receive evidence that OFAC reviewed the results of the
program or documentation that enforcement actions were taken. It
was at the June 2009 exit conference that OFAC officials provided
documentation in the form of sticky notes with handwritten
comments dated November 29, November 30, and December 12,
2007, concluding that in all but one instance the hits either did not
match the SDN list or were otherwise authorized by OFAC.

14 Foreign Assets Control: Actions Have Been Taken to Better Ensure Financial Institution Compliance
With OFAC Sanction Programs, But Their Effectiveness Cannot Yet Be Determined, OIG-07-048
(Sep. 20, 2007).

A second set of documentation was provided to us in response to
a recommendation in our May 2009 discussion draft report to
investigate the potential matches FRB-NY provided to OFAC in the
years 2004, 2005, and 2006, and document the results. This was
not deemed to be sufficient documentation to provide a historical
record of the program.

We were also told at the exit conference that in 2008 OFAC had
taken an enforcement action based on the results of a Fedwire
Integrity Pilot Program hit that occurred in 2005. The enforcement
action was in the form of cautionary letters to the institutions
warning that another violation would be dealt with more strongly.
OFAC officials provided us with an e-mail to document this action.

We interviewed OFAC officials at their headquarters in Washington,
D.C. We also interviewed FRB-NY officials in New York City. These
interviews were arranged through the Office of Inspector General
of the Board of Governors of the Federal Reserve System. In
addition, we interviewed two former directors of OFAC, other
former OFAC officials, and a former Department of the Treasury
official, all of whom were knowledgeable about the program.
Further, we attempted to interview a former OFAC employee who
OFAC officials told us had analyzed the referrals from FRB-NY in
November and December 2007.
We exchanged correspondence
with the individual during July and August 2009 to arrange an
interview but this individual was ultimately unresponsive to our
interview request.

We performed our fieldwork from November 2007 to March 2008
in accordance with generally accepted government auditing
standards.

Appendix 2
Management Response

Appendix 3
Major Contributors To This Report

Sharon Torosian, Audit Manager
Timothy Cargill, Auditor
Nikole Solomon, Auditor
Abdirahman Salah, Referencer

Appendix 4
Report Distribution

Department of the Treasury

Deputy Secretary
Under Secretary for Terrorism and Financial Intelligence
Office of Strategic Planning and Evaluations
Office of Accounting and Internal Control

Office of Foreign Assets Control

Director

Office of Management and Budget

OIG Budget Examiner
"